chore: lock down workflows

.github/actions/build-vsix/action.yml

@@ -54,8 +54,10 @@ runs:
       shell: bash
 
     - name: Add Rustup target
-      run: rustup target add ${{ inputs.cargo_target }}
+      run: rustup target add "${CARGO_TARGET}"
       shell: bash
+      env:
+        CARGO_TARGET: ${{ inputs.cargo_target }}
 
     - name: Build Native Binaries
       run: nox --session native_build
@@ -78,13 +80,17 @@ runs:
       shell: bash
 
     - name: Build VSIX
-      run: npx vsce package --target ${{ inputs.vsix_target }} --out ms-python-insiders.vsix --pre-release
+      run: npx vsce package --target "${VSIX_TARGET}" --out ms-python-insiders.vsix --pre-release
       shell: bash
+      env:
+        VSIX_TARGET: ${{ inputs.vsix_target }}
 
     - name: Rename VSIX
       # Move to a temp name in case the specified name happens to match the default name.
-      run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix ${{ inputs.vsix_name }}
+      run: mv ms-python-insiders.vsix ms-python-temp.vsix && mv ms-python-temp.vsix "${VSIX_NAME}"
       shell: bash
+      env:
+        VSIX_NAME: ${{ inputs.vsix_name }}
 
     - name: Upload VSIX
       uses: actions/upload-artifact@v4

.github/actions/smoke-tests/action.yml

@@ -32,7 +32,7 @@ runs:
       shell: bash
 
     - name: Install Python requirements
-      uses: brettcannon/pip-secure-install@v1
+      uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
       with:
         options: '-t ./python_files/lib/python --implementation py'
 
@@ -61,6 +61,6 @@ runs:
       env:
         DISPLAY: 10
         INSTALL_JUPYTER_EXTENSION: true
-      uses: GabrielBB/[email protected]
+      uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
       with:
         run: node --no-force-async-hooks-checks ./out/test/smokeTest.js

.github/workflows/build.yml

@@ -8,6 +8,8 @@ on:
       - 'release/*'
       - 'release-*'
 
+permissions: {}
+
 env:
   NODE_VERSION: 20.18.0
   PYTHON_VERSION: '3.10' # YML treats 3.10 the number as 3.1, so quotes around 3.10
@@ -83,12 +85,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: 'python-env-tools'
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml
@@ -111,6 +116,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -129,14 +136,16 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install core Python requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           options: '-t ./python_files/lib/python --no-cache-dir --implementation py'
 
       - name: Install Jedi requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           requirements-file: './python_files/jedilsp_requirements/requirements.txt'
           options: '-t ./python_files/lib/jedilsp --no-cache-dir --implementation py'
@@ -146,7 +155,7 @@ jobs:
           python -m pip install --upgrade -r build/test-requirements.txt
 
       - name: Run Pyright
-        uses: jakebailey/pyright-action@v2
+        uses: jakebailey/pyright-action@b5d50e5cde6547546a5c4ac92e416a8c2c1a1dfe # v2.3.2
         with:
           version: 1.1.308
           working-directory: 'python_files'
@@ -172,14 +181,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       - name: Use Python ${{ matrix.python }}
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python }}
 
       - name: Install base Python requirements
-        uses: brettcannon/pip-secure-install@v1
+        uses: brettcannon/pip-secure-install@92f400e3191171c1858cc0e0d9ac6320173fdb0c # v1.0.0
         with:
           requirements-file: '"${{ env.special-working-directory-relative }}/requirements.txt"'
           options: '-t "${{ env.special-working-directory-relative }}/python_files/lib/python" --no-cache-dir --implementation py'
@@ -211,12 +221,14 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: ${{ env.special-working-directory-relative }}
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: ${{ env.special-working-directory-relative }}/python-env-tools
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml
@@ -358,7 +370,7 @@ jobs:
         env:
           TEST_FILES_SUFFIX: testvirtualenvs
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testSingleWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -367,7 +379,7 @@ jobs:
       - name: Run single-workspace tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testSingleWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -376,7 +388,7 @@ jobs:
       - name: Run multi-workspace tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testMultiWorkspace
           working-directory: ${{ env.special-working-directory }}
@@ -385,7 +397,7 @@ jobs:
       - name: Run debugger tests
         env:
           CI_PYTHON_VERSION: ${{ matrix.python }}
-        uses: GabrielBB/[email protected]
+        uses: GabrielBB/xvfb-action@b706e4e27b14669b486812790492dc50ca16b465 # v1.7
         with:
           run: npm run testDebugger
           working-directory: ${{ env.special-working-directory }}
@@ -415,12 +427,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout Python Environment Tools
         uses: actions/checkout@v4
         with:
           repository: 'microsoft/python-environment-tools'
           path: ${{ env.special-working-directory-relative }}/python-env-tools
+          persist-credentials: false
           sparse-checkout: |
             crates
             Cargo.toml

.github/workflows/codeql-analysis.yml

@@ -37,6 +37,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/community-feedback-auto-comment.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
     steps:
       - name: Check For Existing Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
         id: finder
         with:
           issue-number: ${{ github.event.issue.number }}
@@ -21,7 +21,7 @@ jobs:
 
       - name: Add Community Feedback Comment
         if: steps.finder.outputs.comment-id == ''
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           issue-number: ${{ github.event.issue.number }}
           body: |

.github/workflows/gen-issue-velocity.yml

@@ -5,13 +5,18 @@ on:
     - cron: '0 0 * * 2' # Runs every Tuesday at midnight
   workflow_dispatch:
 
+permissions:
+  issues: read
+
 jobs:
   generate-summary:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

.github/workflows/info-needed-closer.yml

@@ -18,6 +18,7 @@ jobs:
         with:
           repository: 'microsoft/vscode-github-triage-actions'
           path: ./actions
+          persist-credentials: false
           ref: stable
       - name: Install Actions
         run: npm install --production --prefix ./actions

.github/workflows/issue-labels.yml

@@ -22,6 +22,7 @@ jobs:
           repository: 'microsoft/vscode-github-triage-actions'
           ref: stable
           path: ./actions
+          persist-credentials: false
 
       - name: Install Actions
         run: npm install --production --prefix ./actions

.github/workflows/lock-issues.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Lock Issues'
-        uses: dessant/lock-threads@v5
+        uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '30'